Editor’s Note: This tip is part of SearchSecurity.com's "Eye On" series that brings together various perspectives
on security topics throughout the year from SearchSecurity and its sister sites. In the month of May the series examines virtualization security.
Innovations in operating system virtualization and server hardware permanently changed the footprint, architecture, and operations of data centers. As such, these innovations have also had a significant impact on how auditors must approach the security assessment of these environments
This chapter from IT Auditing: Using Controls to Protect Information Assets discusses auditing virtualized environments, and begins with an overview of common virtualization technologies and key controls.
IT Auditing: Using Controls to Protect Information Assets
Auditing Virtualized Environments
Table of contents:
Virtualization allows the separation of the operating system from the hardware, using a layer called a hypervisor to sit between the hardware and the operating system. The hypervisor abstracts the physical hardware and presents the hardware you specify to the operating system. The resulting abstraction of the operating system from the specific physical server provides tremendous creative freedom for backing up, copying, restoring, and moving running operating systems, complete with their installed applications. Figure 11-1 illustrates the separation of virtual machines from the physical hardware. Notice that complete abstraction from the hardware allows for some interesting hardware clustering scenarios and also enables the groundwork for sharing hardware resources with an outside cloud computing environment.
|Click to enlarge.
Doubleclick to restore.
Virtualization software can be installed onto a bare metal server or as an application on top of another operating system. Many vendors allow the hypervisor to be installed either way, on top of the OS or by itself, without the hassle and overhead of the OS. The software is designed to utilize embedded processor instructions specifically designed to support multiple operating systems. Processor manufacturers led this charge a few years ago, and the highly customized hardware packages by Cisco Systems, VMware, and other global players foretell the intent to package as much power, security, and management as possible into the hardware to support virtual infrastructures. Gartner believes— and the readers of this book will know—that by the time this book is published and distributed, more than 50 percent of the world's servers will be virtualized.
Commercial and Open Source Projects
Several commercial players are in this market, including VMware, Microsoft, Citrix, Oracle, Parallels, Red Hat, and Novell. Some of these players maintain open source projects, including Xen by Citrix and VirtualBox by Oracle-Sun Microsystems. KVM is a popular open source virtualization project for Linux. Links
Virtualization Auditing Essentials
To understand the material in this chapter, you need a basic understanding of the components that make up the virtualization environment. Your role as an auditor and advisor will significantly improve if you understand major technology trends challenging virtualization models.
Security models, business alignment, capacity planning, and performance management are more important than ever before in virtual environments. Smaller environments may have a few virtually hosted servers running on a single powerful physical server, whereas larger environments support hundreds or thousands of virtually hosted servers and desktops running on a complex infrastructure of clustered servers connected to a massive Storage Area Network (SAN). The scale may change the scope or approach to the audit, but the same business requirements and controls exist. Resource management and monitoring of each of the components separately and collectively enable the virtual environment to function.
|Click to enlarge.
Doubleclick to restore.
Figure 11-2 illustrates an example collective environment and several audit considerations. Notice that these considerations also apply to a normal server or storage audit. What's different? What are the security concerns that keep administrators awake? What should auditors explore? The hypervisor has control requirements similar to those found in a server, but it also has unique requirements to ensure that the hosted environment doesn't present additional control weaknesses to the guest operating systems. The guest operating systems have unique control requirements because of the necessity to keep appropriate segregation controls in place between servers. Mildly complicating this mix are different conceptual approaches to creating the virtual environment.
For more information on virtualization and auditing, download the rest of Chapter 11: Auditing Virtualized Environments (.pdf).
Excerpted from IT Auditing: Using Controls to Protect Information Assets, 2nd Edition by Chris Davis and Mike Schiller, with Kevin Wheeler (McGraw-Hill; 2011), with permission from McGraw-Hill.